Dissecting OCR HIPAA Penalties: Why small breaches continue to drive big settlements and penalties

It is unsurprising that big data breaches lead to big costs (we see you Facebook). You would be forgiven, then, for assuming that large HIPAA settlements in the headlines are due only to large data breaches. You would be forgiven, but you would be wrong. Some of OCR’s biggest settlements have resulted from disclosures affecting very small groups of individuals (e.g., Memorial Hermann Health System ($2.4M, 1 person affected); New York Presbyterian Hospital ($2.2M, 2 people affected); St. Luke’s ($387K, 2 people affected)).

In the last month, OCR has announced three enforcement actions with penalties totaling more than $6.7M. In each case, the PHI disclosures were modest in size. These big totals were also reached despite OCR’s decision in April to reduce the maximum annual penalty it is entitled to pursue for identical violations. Previously, OCR could charge violations at a variety of penalty tiers, all with a maximum annual cap of $1.5M. Under the new structure, annual maximums for the lower-penalty tiers range from $25K to $250K. Only violations caused by willful neglect that remain uncorrected are still subject to the $1.5M annual maximum.

Read the full article on LinkedIn.